Interface trust boundary on 4500 Sup 6E

Hi there

I need to set access ports on a 4500 Sup 6E as untrusted. They trust DSCP by default, and the config guide appears to say ports can only be set as untrusted if the "trusted boundary" feature is enabled; see below. I presume that this means applying the command "qos trust device cisco-phone". If I configure the command on a disconnected port, the port goes into the untrusted state. However, most of the ports have phones attached, so if I configure this command on a connected port it detects the phone and sets the port to trust, which is not what I want. QoS is globally enabled on the 4500 with Sup 6E by default, and all ports trust by default.

The MQC model does not support the trust feature, which is available in the switch qos model on Supervisor Engines II-Plus through V-10GE. In the MQC model supported on the Supervisor Engine 6-E, the incoming traffic is considered trusted by default. Only when the trusted boundary feature is enabled on an interface can the port enter untrusted mode. In this mode, the switch marks the DSCP value of an IP packet and the CoS value of the VLAN tag on the Ethernet frame as “0”.

Re: Interface trust boundary on 4500 Sup 6E

Hi there

On closer inspection of the policy map, class-default is configured to "set dscp default". Will this set DSCP to 0 for all unmatched traffic? I am not currently able to do proper testing of packets across these ports.

class class-default
 set dscp default

I do also need to set the port operational state to untrusted, as the trust boundary must be at the access layer, not at the end device.

Re: Interface trust boundary on 4500 Sup 6E

Yes, "set dscp default" will set the DSCP to the interface default value, which is 0 by default.

If the 4500 is positioned at the access layer and you don't want to trust the incoming packets, you can classify/mark the packets based on the traffic type. If the 4500 is positioned at the dist/core layer, then you can just trust the marking. As you said, classification and marking should be done at the access layer.
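
An added example, not part of the thread or of Cisco's documentation: a small audit that reads a running-config and lists access ports whose unmatched ingress traffic would keep its incoming DSCP, given that the Sup 6E MQC model trusts by default. It assumes `show running-config`-style indentation and that re-marking is done with `set dscp default` (or `set dscp 0`) in `class-default`; the sample config and the policy names in it are constructed.

```python
# Constructed sample config; policy-map names and port numbers are made up.
SAMPLE = """\
policy-map MARK-ACCESS
 class class-default
  set dscp default
policy-map VOICE-ONLY
 class VOICE
  set dscp ef
interface GigabitEthernet2/1
 switchport mode access
 service-policy input MARK-ACCESS
interface GigabitEthernet2/2
 switchport mode access
 qos trust device cisco-phone
interface GigabitEthernet2/3
 switchport mode access
 service-policy input VOICE-ONLY
"""
REMARK = {"set dscp default", "set dscp 0"}  # class-default actions that zero the DSCP

def parse(config):  # -> ({policy: {class: [actions]}}, {interface: [commands]})
    policies, interfaces, kind, body, cls = {}, {}, None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command opens a new section
            kind, _, name = line.partition(" ")
            top = {"policy-map": policies, "interface": interfaces}.get(kind, {})
            body, cls = top.setdefault(name, [] if kind == "interface" else {}), None
        elif kind == "policy-map" and line.startswith("class "):
            cls = body.setdefault(line.split()[1], [])
        elif kind == "policy-map" and cls is not None:
            cls.append(line)
        elif kind == "interface":
            body.append(line)
    return policies, interfaces

def trust_gaps(config):
    """Access ports where unmatched ingress traffic is not re-marked to DSCP 0."""
    policies, interfaces = parse(config)
    gaps = {}
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are outside the access-layer boundary
        attached = [c.split()[2] for c in cmds if c.startswith("service-policy input ")]
        if not attached:
            gaps[name] = "no ingress service-policy"
        elif not REMARK & set(policies.get(attached[0], {}).get("class-default", [])):
            gaps[name] = "class-default not re-marked"
    return gaps
```

A port that relies only on "qos trust device cisco-phone" is reported here because, as described in the first post, it switches to trust once a phone is detected.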

Re: Interface trust boundary on 4500 Sup 6E
